Wazuh Setup with Switch HP L2


Atlas Atlas

Mar 6, 2023, 6:24:36 PM
to Wazuh mailing list
Hello,
Can someone help please?

I have downloaded the wazuh.ova VM and found rsyslog in it.
So I started by activating rsyslog listening on port UDP:514 and configured the switch to send its logs to it.
The problem is that I receive syslog in rsyslog, but only some of the messages, like "authentication failed", can I find in the Wazuh dashboard. Logout and login syslog I didn't find.

What can be the issue?

Example of a syslog I didn't find:
Mar  6 21:53:45 LTA-SW2-PI-1 USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1655) 440 %% HTTP Session 19 ended for user admin connected from 10.1.1.10

Mariano Koremblum

Mar 6, 2023, 7:31:44 PM
to Wazuh mailing list
Hi Atlas,

Please, let me get this right. Has the log that you have shared with us been received, but it is not displayed on the dashboard?

How do you know that it is being received? When you say that you send logs to the server, are they collected from a file or directly received by the manager?

Regards,

Mariano Koremblum

Atlas Atlas

Mar 7, 2023, 11:35:07 AM
to Wazuh mailing list
Hello Mariano,

Thank you a lot for replying to my message.

To explain more:

> I'm a beginner in SIEM (Wazuh)

STEPS I DID:

  1. I downloaded the Wazuh.ova VM from the website
  2. Imported it into Proxmox
  3. Started it and configured the static IP 10.1.1.100
  4. Searched for rsyslog, which I found already installed in the wazuh.ova VM
  5. I configured rsyslog to start listening on UDP port 514 by going to:
    • path: vi /etc/rsyslog.conf
    • # Provides UDP syslog reception
      $ModLoad imudp
      $UDPServerRun 514
  6. I checked that rsyslog (on the same wazuh.ova VM) started listening on UDP port 514 with the command: sudo ss -tulwn
  7. I configured the switch to send logs to rsyslog on UDP port 514
  8. And I checked at the same time that rsyslog receives these logs and stores them in the path: cat /var/log/messages
  9. And it shows me the logs of the switch
ISSUE:
  • When I go to the Wazuh dashboard I find some logs and others not
  • For example, Wazuh collects "Failed authentication" but does not show one like this: " Mar  6 21:53:45 LTA-SW2-PI-1 USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1655) 440 %% HTTP Session 19 ended for user admin connected from 10.1.1.10 "

Mariano Koremblum

Mar 7, 2023, 1:18:56 PM
to Wazuh mailing list

Hi again Atlas,

Everything looks fine so far. If you check the log with our wazuh-logtest tool, you will realize that such a log is not currently supported by the default ruleset, as you can see here:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

 Mar 6 21:53:45 LTA-SW2-PI-1 USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1655) 440 %% HTTP Session 19 ended for user admin connected from 10.1.1.10

**Phase 1: Completed pre-decoding.
        full event: ' Mar 6 21:53:45 LTA-SW2-PI-1 USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1655) 440 %% HTTP Session 19 ended for user admin connected from 10.1.1.10'

**Phase 2: Completed decoding.
        No decoder matched.

In order for it to be displayed on the dashboard, by default, it should raise an alert equal to or higher than "3". This value is set on the label log_alert_level of the ossec.conf file (located in /var/ossec/etc/). To generate your own rules and decoder I strongly suggest you read the following links:

I hope that my answer helps you,

Mariano Koremblum

Atlas Atlas

Mar 7, 2023, 5:14:44 PM
to Wazuh mailing list
Hello again Mariano,

You are right. I started by making a new decoder and ruleset and still had the same issue, until I realized and changed the real USER_MGR[tRpcsrv.00001] to USER_MGR[12345], and right now it's good in the logtest result:

Mar  6 21:53:45 SW2 USER_MGR[12345]: user_mgr_util.c(1655) 440 %% HTTP Session 19 ended for user admin connected from  10.1.10.100

**Phase 1: Completed pre-decoding.
        full event: 'Mar  6 21:53:45 SW2 USER_MGR[12345]: user_mgr_util.c(1655) 440 %% HTTP Session 19 ended for user admin connected from  10.1.10.100'
        timestamp: 'Mar  6 21:53:45'
        hostname: 'SW2'
        program_name: 'USER_MGR'

**Phase 2: Completed decoding.
        name: 'USER_MGR'
        srcip: '10.1.10.100'
        srcuser: 'admin'

**Phase 3: Completed filtering (rules).
        id: '100010'
        level: '5'
        description: 'user connected'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

My questions are:

> How to decode this part? [tRpcsrv.00001]

AND THANK YOU A LOT

Mariano Koremblum

Mar 7, 2023, 6:41:18 PM
to Wazuh mailing list
Atlas,

Be careful, are you sure that there is no space at the beginning of the log? This changes everything, please, check that out.

Best regards

Atlas Atlas

Mar 8, 2023, 8:00:15 AM
to Wazuh mailing list
Hello Mariano,
I checked; there is no space at the beginning of the log.

I set log_alert_level to zero in ossec.conf and same issue.

I tried logtest with a failed login that does show in the Wazuh dashboard, and this is the logtest result for that failed login that shows in the Wazuh dashboard (I see it's different in phase 1/phase 2/phase 3):
 
[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest

Starting wazuh-logtest v4.3.10
Type one log per line

Mar 8 13:36:51 SW2 USER_MGR[tRpcsrv.00001]: user_mgr.c(1844) 590 %% User youuu Failed to login because of authentication failures

**Phase 1: Completed pre-decoding.
        full event: 'Mar 8 13:36:51 SW2 USER_MGR[tRpcsrv.00001]: user_mgr.c(1844) 590 %% User youuu Failed to login because of authentication failures'


**Phase 2: Completed decoding.
        No decoder matched.

**Phase 3: Completed filtering (rules).
        id: '2501'
        level: '5'
        description: 'syslog: User authentication failure.'
        groups: '['syslog', 'access_control', 'authentication_failed']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.8']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.14', 'AC.7']'
        pci_dss: '['10.2.4', '10.2.5']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Mariano Koremblum

Mar 8, 2023, 8:11:25 AM
to Wazuh mailing list
OK, I asked you about the space because you previously shared a log with a space at the beginning, and I have also seen some cases where the logs start with a space. I repeat, if such a space exists it changes everything. So from now on I will consider that there is no space at the beginning of the log, just as you have said.

It is not recommended to set the logging level to 0, I don't really know if that produces every single log to be collected, in the worst case, I would recommend setting it to 1.

Phases are different and they accumulate information. Phase 1 is the pre-decoding stage; it is automatic and cannot be manipulated (you could change how the log is collected, but the pre-decoding is fixed). Phase 2 is the decoding stage; in your example, it can be seen that no decoder is taking effect, so if you have made your own then it is not working. Phase 3 is the rule-matching stage; in this case, the log is matching a rule that is in our default ruleset and it is setting an alert level equal to 5, so such a log should be displayed on the dashboard.

I am sorry but I got a little bit lost, how can I help you now?

I will be waiting for your reply,

Mariano Koremblum

Atlas Atlas

Mar 8, 2023, 9:56:19 AM
to Wazuh mailing list
The issue I have is in this part: USER_MGR[tRpcsrv.00001]

Because when I change in logtest this USER_MGR[tRpcsrv.00001] to this USER_MGR[12345], it works, see example:

[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line


Mar  6 21:53:45 SW2 USER_MGR[12345]: user_mgr_util.c(1655) 440 %% HTTP Session 19 ended for user admin connected from 10.1.1.10


**Phase 1: Completed pre-decoding.
        full event: 'Mar  6 21:53:45 SW2 USER_MGR[12345]: user_mgr_util.c(1655) 440 %% HTTP Session 19 ended for user admin connected from 10.1.1.10'

        timestamp: 'Mar  6 21:53:45'
        hostname: 'SW2'
        program_name: 'USER_MGR'

**Phase 2: Completed decoding.
        name: 'USER_MGR'

**Phase 3: Completed filtering (rules).
        id: '100010'
        level: '0'
        description: 'User logout'

        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'

Mariano Koremblum

Mar 8, 2023, 6:30:13 PM
to Wazuh mailing list
That is because the real log does not fit the expected format to be pre-decoded. You should create your own custom decoders and rules to make it work.

To do so, please, take a look at the following links:

Atlas Atlas

Mar 8, 2023, 7:50:08 PM
to Wazuh mailing list
Hello Mariano,

Is this good for my log? Because I still cannot logtest my log!!!!

Decoder:

<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<decoder name="USER_MGR">
  <program_name>^USER_MGR</program_name>
</decoder>

<decoder name="USER_MGR">
  <parent>USER_MGR</parent>
  <!-- the fields listed in <order> are taken from the capture groups (...) -->
  <regex>^user_mgr_util.c\D\d+\D \d+ %% HTTP Session \d+ ended for user (\w+) connected from (\d+.\d+.\d+.\d+)</regex>
  <order>srcuser,srcip</order>
</decoder>


Ruleset:

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="local,syslog,sshd,">
  <rule id="100010" level="5">
    <decoded_as>USER_MGR</decoded_as>
    <description>switch: user logout.</description>
  </rule>
</group>


Mariano Koremblum

Mar 9, 2023, 1:54:37 PM
to Wazuh mailing list

Hi Atlas,

It won't work. As you can see, when you use the real log the program_name is not obtained, so you cannot use that parameter to create a decoder.

Is this program name always the same? Does the log always have the same format?

Mariano Koremblum

Atlas Atlas

Mar 9, 2023, 2:52:29 PM
to Wazuh mailing list
Hello Mariano,

After a help post asking to decode the log, a helper gave me this:

<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<decoder name="user_mgr">
  <prematch>USER_MGR</prematch>
</decoder>

<decoder name="user_mgr_fields">
  <parent>user_mgr</parent>
  <!-- in Wazuh regex syntax "\." means any character, so "(\.*)" captures the text after "%%" -->
  <regex>%% (\.*) (\d+.\d+.\d+.\d+)$</regex>
  <order>message,srcip</order>
</decoder>

And your rule can be simple for now until you add more conditions:

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="local,syslog,">
  <rule id="900000" level="3">
    <decoded_as>user_mgr</decoded_as>
    <description>$(message) $(srcip)</description>
  </rule>
</group>

Right now I can logtest and it gives me the correct result.

But when I try to:
  • make a logger test from a Windows machine terminal TO the wazuh.ova VM, which is on the same server as rsyslog, with the command: logger.exe -l 192.168.1.250 -a 514 -m tcp "USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1650) 495 %% HTTP Session 29 ended for user admin connected from 10.20.30.10"
  • rsyslog receives the logger test; it shows me that it was received with the command: cat /var/log/messages
  • but when I search for it on the Wazuh dashboard I still can't see the log???
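
The following is an added Python model of the three wazuh-logtest phases discussed in this thread; it is not Wazuh's code and not the helper's decoder. It assumes, from the behaviour shown above, that phase 1 only extracts program_name when the bracketed PID is numeric and that a leading space breaks pre-decoding; the helper's prematch decoder and rule 900000 are rewritten in Python regex syntax so the reader can see why the real log still produces an alert once that decoder is in place.

```python
import re

# Added teaching model of wazuh-logtest's three phases (not Wazuh's code).
# Phase 1 reproduces the behaviour seen in this thread: program_name is only
# extracted when the bracketed PID is numeric, and a leading space breaks it.
PREDECODE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Phase 2: the helper's decoder in Python regex syntax (Wazuh's "\.*" is ".*" here).
DECODER_PREMATCH = "USER_MGR"
FIELDS = re.compile(r"%% (?P<message>.*) (?P<srcip>\d+\.\d+\.\d+\.\d+)$")
# Phase 3: rule 900000, level 3; default <log_alert_level> in ossec.conf is 3.
LOG_ALERT_LEVEL = 3

def predecode(event: str) -> dict:
    """Return timestamp/hostname/program_name, or {} when the syslog header does not fit."""
    m = PREDECODE.match(event)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else {}

def decode(event: str) -> dict:
    """Prematch on the whole event, then pull message and srcip from its tail."""
    if DECODER_PREMATCH not in event:
        return {}
    m = FIELDS.search(event)
    return {"decoder": "user_mgr", **(m.groupdict() if m else {})}

def logtest(event: str) -> dict:
    """Run all three phases and decide whether an alert would be generated."""
    pre, dec = predecode(event), decode(event)
    result = {"phase1": pre, "phase2": dec, "phase3": None, "alert": False}
    if dec.get("decoder") == "user_mgr":
        desc = f"{dec.get('message', '')} {dec.get('srcip', '')}".strip()
        result["phase3"] = {"id": "900000", "level": 3, "description": desc}
        result["alert"] = result["phase3"]["level"] >= LOG_ALERT_LEVEL
    return result

# Constructed sample events based on the line quoted in the thread.
REAL = ("Mar  6 21:53:45 SW2 USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1655) 440 "
        "%% HTTP Session 19 ended for user admin connected from 10.1.1.10")
NUMERIC_PID = REAL.replace("[tRpcsrv.00001]", "[12345]")
LEADING_SPACE = " " + REAL

if __name__ == "__main__":
    for label, ev in (("real", REAL), ("numeric pid", NUMERIC_PID), ("leading space", LEADING_SPACE)):
        r = logtest(ev)
        print(f"{label:13} program_name={r['phase1'].get('program_name')} alert={r['alert']}")
```

The real line yields no program_name in phase 1, which is why the earlier program_name-based decoder never fired, while the prematch-based decoder still extracts srcip and the rule reaches the default alert threshold.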

Mariano Koremblum

Mar 9, 2023, 4:40:51 PM
to Wazuh mailing list
You should not open another thread if you are already receiving assistance.

I am out of the office now, please, refer to the other thread.

Best Regards,

Mariano Koremblum

Atlas Atlas

Mar 9, 2023, 6:07:47 PM
to Wazuh mailing list
I'm not saying that you didn't help me a lot.

I'm so thankful. The steps I'm at are because of your help.

I just want to learn more and more about Wazuh; I'm still a beginner and I'm trying to get more skills in Wazuh.

Thank you one more time
